Understanding the LAITS implementation of JAMF Connect

What is JAMF Connect ?

JAMF Connect is a software product that allows us to use the UT Campus Single Sign-on system to authenticate a users login credentials on computers running macOS.  The UT Campus Single Sign-on system currently leverages Microsoft Azure Active Directory and Duo to do this.  JAMF Connect allows us to authenticate a users credentials regardless of whether they are on campus or off, all that is needed is an internet connection.

Understanding the impact of FileVault in macOS on provisioning machines with JAMF Connect installed

By Texas state law, all state-owned computers must either use encryption to protect user data stored on the device, or the computer must be configured so that it does not retain any user data.

Filevault in macOS is the Apple implementation of encryption on the data storage in a computer, very similar to Bitlocker on Microsoft Windows based computers.  When FileVault is enabled it requires that credentials be used to allow the encrypted information on a data storage device to be unlocked and read, without those proper credentials the data on the drive is unreadable.

When a computer is powered up Apple uses a firmware based boot loader to authenticate a known user on the computer and permits the data storage to be unlocked, and allow the loading of macOS. If the person attempting to use a computer is unknown they will be unable to unlock the data storage on the device and therefore unable to use it.

When a computer is provisioned for use, the first user account on a device is established with special permissions that give that user account immediate access to the machine when FileVault is enabled.

When using JAMF Connect on a computer one of the benefits is that the successfully authenticated user is automatically granted access to FileVault. Previously this had to be done by a system administrator manually or remotely by script.

NOTE: When delivering a LAITS provisioned FileVault enabled device it will be necessary to login with the deploy user account, boot macOS, and then logout in order to enable JAMF Connect to be used by the new user. On single user computers once the new users account is created the deploy user account is removed from the machine.

Off Campus Internet Considerations

While not exhaustive, we have tested numerous WiFi connections that are off campus and found that all of the ones we have tried (protected and public) have worked properly using the WiFi connectivity interface within the JAMF Connect login application.

Our Faculty and Staff implementation of JAMF Connect

On campus our LAITS Faculty and Staff implementation leverages the utguest wireless SSID to give the computer temporary internet access long enough to allow the first user to authenticate on the machine and establish their user account.  Once their user account is created the computer forcibly drops the utguest SSID and prompts the user to join the utexas SSID which is more appropriate and allows them access to UT faculty/staff network resources.

 New machines that use a wired Ethernet connection for internet connectivity will not need to use WIFI connectivity.

Our Research implementation of JAMF Connect

On campus our LAITS Research implementation leverages a configuration profile for WiFi that allows the machine to connect to the utexas-iot wireless SSID.  This setup requires additional setup in the XMP Network Portal including identifying the computer itself which must be in ISORA, as well as setting up a group Pre-Shared Key for authenticating to the utexas-iot wireless SSID.  The machine will then use the utexas-iot wireless SSID anytime a WIFI connection is needed.

New machines that use a wired Ethernet connection for internet connectivity will not need to use WIFI connectivity.

Our Student Lab and Classroom implementation of JAMF Connect

NOTE: These machines do not have FileVault enabled and therefore macOS boots immediately to the JAMF Connect login window.  We use a user profile policy that runs at the login window and is triggered when the previous user logs out to ensure these devices do not retain user data.

On campus our LAITS Student Lab and Classroom implementation leverages a configuration profile for WiFi that allows the machine to connect to the utexas-iot wireless SSID. This setup requires additional setup in the XMP Network Portal including identifying the computer itself which must be in ISORA, as well as setting up a group Pre-Shared Key for authenticating to the utexas-iot wireless SSID.  The machine will then use the utexas-iot wireless SSID anytime a WIFI connection is needed.

New machines that use a wired Ethernet connection for internet connectivity will not need to use WIFI connectivity.

Related pages